CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description (NVD)
Missing Authorization vulnerability in Wappointment team Wappointment wappointment allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Wappointment: from n/a through <= 2.7.6.
Analysis (AI)
Authorization bypass in Wappointment WordPress plugin versions ≤2.7.6 enables low-privileged authenticated attackers to perform unauthorized actions with high impact on confidentiality, integrity, and availability. The vulnerability stems from missing authorization checks (CWE-862), allowing authenticated users to access or modify data beyond their intended permission level. The EPSS score of 0.06% (18th percentile) indicates a low observed exploitation probability, and no confirmed active exploitation (CISA KEV) or public exploit code was identified at the time of analysis.
Technical Context (AI)
This vulnerability affects Wappointment, a WordPress appointment booking plugin, through a missing authorization check (CWE-862: Missing Authorization). CWE-862 occurs when an application does not verify that a user has the appropriate permissions before granting access to sensitive operations or resources. In WordPress plugins, this typically manifests when AJAX handlers, REST API endpoints, or admin functions fail to implement capability checks (e.g., current_user_can()) before executing privileged operations. The vulnerability allows low-privileged authenticated users (PR:L in the CVSS vector) to exploit improperly configured access control mechanisms, potentially accessing appointment data, modifying bookings, or manipulating plugin settings that should be restricted to administrators. The network-accessible attack vector (AV:N) with low attack complexity (AC:L) means exploitation requires only standard HTTP requests once authenticated, without any additional preconditions such as race conditions.
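The following is an added illustration of the CWE-862 pattern described above in a generic WordPress AJAX handler, shown in its missing-check form beside a hardened form. It is hypothetical example code written for this page, not Wappointment's code, and does not describe the actual vulnerable endpoint; the plugin prefix (myplugin_), the action name, the table name and the custom capability are all assumptions. The WordPress functions used (check_ajax_referer(), current_user_can(), wp_send_json_error(), $wpdb->delete(), register_activation_hook(), wp_localize_script()) are real core APIs.

```php
<?php
// Added example of CWE-862 in a WordPress plugin: hypothetical code, not Wappointment's.
// All myplugin_* names, the 'myplugin_appointments' table and the custom capability are assumptions.

// BEFORE (missing authorization): every authenticated user, including a subscriber (PR:L),
// can reach wp-admin/admin-ajax.php?action=myplugin_delete_appointment, and nothing here
// asks WordPress whether the caller is allowed to delete appointments.
function myplugin_delete_appointment_vulnerable() {
    global $wpdb;
    $id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    $wpdb->delete( $wpdb->prefix . 'myplugin_appointments', array( 'id' => $id ), array( '%d' ) );
    wp_send_json_success( array( 'deleted' => $id ) );
}
// Registration of the vulnerable handler, kept only for contrast (not active here):
// add_action( 'wp_ajax_myplugin_delete_appointment', 'myplugin_delete_appointment_vulnerable' );

// AFTER: a dedicated capability granted to administrators on activation, so the
// authorization decision is explicit rather than "anyone who is logged in".
function myplugin_register_caps() {
    $role = get_role( 'administrator' );
    if ( $role ) {
        $role->add_cap( 'myplugin_manage_appointments' );
    }
}
register_activation_hook( __FILE__, 'myplugin_register_caps' );

function myplugin_delete_appointment_secure() {
    // CSRF protection: check_ajax_referer() terminates the request with 403 when the
    // nonce for this action is missing or invalid. This is not the authorization check.
    check_ajax_referer( 'myplugin_delete_appointment', 'nonce' );

    // The check CWE-862 is about: does this user hold the required capability?
    // wp_send_json_error() ends the request, so nothing below runs for an unauthorized caller.
    if ( ! current_user_can( 'myplugin_manage_appointments' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // Input validation after authorization: reject non-numeric or zero ids.
    $id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    if ( 0 === $id ) {
        wp_send_json_error( array( 'message' => 'invalid id' ), 400 );
    }

    global $wpdb;
    $deleted = $wpdb->delete( $wpdb->prefix . 'myplugin_appointments', array( 'id' => $id ), array( '%d' ) );
    if ( false === $deleted ) {
        wp_send_json_error( array( 'message' => 'database error' ), 500 );
    }
    wp_send_json_success( array( 'deleted' => $id ) );
}
add_action( 'wp_ajax_myplugin_delete_appointment', 'myplugin_delete_appointment_secure' );

// The admin-side script must send the matching nonce; it is handed over at enqueue time.
function myplugin_enqueue_admin_script() {
    wp_enqueue_script( 'myplugin-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'myplugin-admin', 'myplugin', array(
        'ajax_url' => admin_url( 'admin-ajax.php' ),
        'nonce'    => wp_create_nonce( 'myplugin_delete_appointment' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'myplugin_enqueue_admin_script' );
```

Two points worth noting when reviewing a plugin for this class of bug: a nonce check alone does not fix CWE-862, because a low-privileged user can obtain a valid nonce from any page that emits it; only the current_user_can() check constrains who may act. For REST API routes the equivalent control is the permission_callback argument of register_rest_route(), which should never be left as __return_true for data-changing endpoints.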
Affected Products (AI)
The vulnerability affects Wappointment WordPress plugin versions up to and including 2.7.6. Wappointment is an appointment booking and scheduling plugin for WordPress developed by the Wappointment team, commonly used by service businesses, healthcare providers, and consultants to manage client appointments. All installations running version 2.7.6 or earlier contain the missing authorization vulnerability. The vendor advisory is available through Patchstack at https://patchstack.com/database/Wordpress/Plugin/wappointment/vulnerability/wordpress-wappointment-plugin-2-7-2-broken-access-control-vulnerability?_s_id=cve, which provides detailed affected version information and exploitation details.
Remediation (AI)
Update the Wappointment plugin to version 2.7.7 or later, which addresses the missing authorization checks. WordPress administrators should navigate to the WordPress admin dashboard, select Plugins, locate Wappointment, and click Update if the update is available through the WordPress plugin repository. For installations where immediate patching is not feasible, implement temporary compensating controls by restricting WordPress user roles to only trusted administrators and reviewing user permission levels to minimize the attack surface for low-privileged accounts. Conduct an audit of appointment data and plugin settings to identify any unauthorized modifications that may have occurred prior to patching. Consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wappointment/vulnerability/wordpress-wappointment-plugin-2-7-2-broken-access-control-vulnerability?_s_id=cve for additional remediation guidance and indicators of compromise specific to this vulnerability.